jguard-swing-example has to be run with the security manager activated, unlike jguard-struts-example, which can run with or without it.
It is a very basic demonstration of what jguard can do to secure standalone applications.
It simply tries to read a file with the rights granted to the connected user.
replace by your own value
Running jguard-swing-example in Eclipse:
Configure java.security
- open java.security located in ${java.home}/lib/security/
- modify the property login.config.url.1 and set it to login.config.url.1=file://
/jguard-swing-example/conf/java.login.config
- modify the property policy.provider and set policy.provider=net.sf.jguard.ext.authorization.policy.classic.SingleAppPolicy
Configure java.policy
- open java.policy file located in ${java.home}/lib/security/
- add this :
grant codeBase "file:/<eclipse-workspace>/jguard-swing-example/eclipse-bin/-" {
    permission java.util.PropertyPermission "log4j.defaultInitOverride", "read";
    permission java.util.PropertyPermission "log4j.configuration", "read";
    permission java.util.PropertyPermission "log4j.configuratorClass", "read";
    permission java.util.PropertyPermission "log4j.ignoreTCL", "read";
    permission java.util.PropertyPermission "log4j.debug", "read";
    permission java.util.PropertyPermission "log4j.configDebug", "read";
    permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "read";
    permission java.util.PropertyPermission "user.dir", "read";
    permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
    permission java.awt.AWTPermission "accessEventQueue";
    permission java.awt.AWTPermission "accessClipboard";
    permission java.io.FilePermission "<M2_REPO>/log4j/log4j/1.2.12/log4j-1.2.12.jar", "read";
    permission javax.security.auth.AuthPermission "createLoginContext.jGuardSwingExample";
    permission javax.security.auth.PrivateCredentialPermission "net.sf.jguard.core.authentication.credentials.JGuardCredential net.sf.jguard.core.principals.JGuardPrincipal \"*\"","read";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
    permission javax.security.auth.AuthPermission "modifyPublicCredentials";
    permission java.lang.RuntimePermission "modifyThreadGroup";
};

grant codeBase "file:/<eclipse-workspace>/jguard-ext/eclipse-bin/-" {
    permission java.util.PropertyPermission "net.sf.jguard.application.name", "read";
    permission java.util.PropertyPermission "com.sun.management.jmxremote.login.config", "read";
    permission java.util.PropertyPermission "org.dom4j.factory", "read";
    permission java.util.PropertyPermission "org.dom4j.DocumentFactory.singleton.strategy", "read";
    permission java.util.PropertyPermission "org.saxpath.driver", "read";
    permission java.util.PropertyPermission "org.dom4j.QName.singleton.strategy", "read";
    permission java.util.PropertyPermission "org.dom4j.QName.singleton.strategy", "read";
    permission java.io.FilePermission "\\conf\jGuardUsersPrincipals.xml", "read";
    permission java.io.FilePermission "<eclipse-workspace>/jguard-swing-example/conf/jGuardUsersPrincipals.xml", "read";
    permission java.io.FilePermission "<eclipse-workspace>/jguard-swing-example/conf/jGuardUsersPrincipals_0.90.dtd", "read";
    permission javax.security.auth.PrivateCredentialPermission "net.sf.jguard.core.authentication.credentials.JGuardCredential net.sf.jguard.core.principals.JGuardPrincipal \"*\"","read";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
    permission javax.security.auth.AuthPermission "modifyPublicCredentials";
};

grant codeBase "file:/<eclipse-workspace>/jguard-core/eclipse-bin/-" {
    permission javax.security.auth.PrivateCredentialPermission "net.sf.jguard.core.authentication.credentials.JGuardCredential net.sf.jguard.core.principals.JGuardPrincipal \"*\"","read";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
    permission javax.security.auth.AuthPermission "modifyPublicCredentials";
};

grant codebase "file:/<M2_REPO>/-" {
    permission java.util.PropertyPermission "org.apache.xerces.xni.parser.XMLParserConfiguration", "read";
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "org.dom4j.QName.singleton.strategy", "read";
    permission java.io.FilePermission "<JDK_HOME>/jre/lib/xerces.properties", "read";
    permission java.io.FilePermission "<eclipse-workspace>/jguard-swing-example/eclipse-bin/log4j.xml", "read";
    permission java.io.FilePermission "<JDK_HOME>/jre/lib/xerces.properties", "read";
    permission java.io.FilePermission "<M2_REPO>/log4j/log4j/1.2.12/log4j-1.2.12.jar", "read";
    permission java.io.FilePermission "\\conf\jGuardUsersPrincipals.xml", "read";
};
Replace <eclipse-workspace>, <M2_REPO> and <JDK_HOME> with your own values.
Configure java.login.config
- open java.login.config located in
/jguard-swing-example/conf/
- modify authenticationXmlFileLocation property as /
/jguard-swing-example/conf/jGuardUsersPrincipals.xml
Configure jGuardPrincipalsPermissions.xml
- open jGuardPrincipalsPermissions.xml located in
/jguard-swing-example/conf/
- modify the FilePermission in the full domain to point to an existing file
Create a new run configuration on jguard-swing-example :
Add the following as VM arguments (replace M2_REPO and eclipse-workspace):
-Xbootclasspath/a:<M2_REPO>/jguard/jguard-core/0.90beta5-SNAPSHOT/jguard-core-0.90beta5-SNAPSHOT.jar
-Xbootclasspath/a:<M2_REPO>/jguard/jguard-ext/0.90beta5-SNAPSHOT/jguard-ext-0.90beta5-SNAPSHOT.jar
-Xbootclasspath/a:<M2_REPO>/log4j/log4j/1.2.12/log4j-1.2.12.jar
-Xbootclasspath/a:<M2_REPO>/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar
-Xbootclasspath/a:<M2_REPO>/jaxen/jaxen/1.1-beta-6/jaxen-1.1-beta-6.jar
-Xbootclasspath/a:<M2_REPO>/commons-lang/commons-lang/2.1/commons-lang-2.1.jar
-Xbootclasspath/a:<M2_REPO>/ehcache/ehcache/1.1/ehcache-1.1.jar
-Xbootclasspath/a:<M2_REPO>/commons-jexl/commons-jexl/1.0/commons-jexl-1.0.jar
-Djava.security.manager
-Dnet.sf.jguard.policy.configuration.file=<eclipse-workspace>/jguard-swing-example/conf/jGuardPolicy.xml
-Djava.security.debug=access:failure
Run
- log in with admin/admin, then try to read the file you set in jGuardPrincipalsPermissions.xml. It succeeds.
- log in with guest/guest, then try to read the file you set in jGuardPrincipalsPermissions.xml. It fails.
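A pre-flight check for the java.policy grants edited above, as an added example that is not part of jGuard or of the original page: it parses each grant entry and reports placeholders left unreplaced, duplicate permissions, path strings with a single (undoubled) backslash, and grants that apply to all code. The function name lint_policy, the /home/dev/ws path and the final AllPermission entry are constructed for illustration.

```python
import re

STR = r'"(?:[^"\\]|\\.)*"'  # quoted string; backslash escapes allowed
GRANT = re.compile(r'\bgrant\b((?:%s|[^"{])*)\{((?:%s|[^"}])*)\}\s*;' % (STR, STR), re.I)
PERM = re.compile(r'\bpermission\s+([\w.$]+)\s*((?:%s\s*,?\s*)*);' % STR, re.I)
CODEBASE = re.compile(r'\bcodebase\s+(%s)' % STR, re.I)
PLACEHOLDER = re.compile(r'<[\w-]+>')  # e.g. <M2_REPO> left unreplaced

def lint_policy(text):
    """Return (codeBase, issue, detail) findings; comments and signedBy are not handled."""
    findings = []
    for header, body in GRANT.findall(text):
        m = CODEBASE.search(header)
        codebase = m.group(1)[1:-1] if m else None
        if codebase is None:
            findings.append((None, "no-codebase", "grant applies to all code"))
        elif PLACEHOLDER.search(codebase):
            findings.append((codebase, "placeholder", codebase))
        seen = set()
        for cls, args in PERM.findall(body):
            entry = (cls,) + tuple(s[1:-1] for s in re.findall(STR, args))
            if entry in seen:
                findings.append((codebase, "duplicate", " ".join(entry)))
            seen.add(entry)
            if cls == "java.security.AllPermission":
                findings.append((codebase, "all-permission", cls))
            for target in entry[1:]:
                if PLACEHOLDER.search(target):
                    findings.append((codebase, "placeholder", target))
                # Policy strings need "\\" per literal backslash; a lone "\" is flagged
                if "\\" in re.sub(r'\\[\\"]', "", target):
                    findings.append((codebase, "single-backslash", target))
    return findings

# Constructed sample: two entries echo the page's grants, the last is deliberately weak
SAMPLE = r'''
grant codeBase "file:/<eclipse-workspace>/jguard-ext/eclipse-bin/-" {
  permission java.util.PropertyPermission "org.dom4j.QName.singleton.strategy", "read";
  permission java.util.PropertyPermission "org.dom4j.QName.singleton.strategy", "read";
  permission java.io.FilePermission "\\conf\jGuardUsersPrincipals.xml", "read";
};
grant codeBase "file:/home/dev/ws/jguard-core/eclipse-bin/-" {
  permission javax.security.auth.PrivateCredentialPermission "net.sf.jguard.core.authentication.credentials.JGuardCredential net.sf.jguard.core.principals.JGuardPrincipal \"*\"","read";
};
grant { permission java.security.AllPermission; };
'''
if __name__ == "__main__":
    for finding in lint_policy(SAMPLE):
        print(finding)
```

Run it against your edited ${java.home}/lib/security/java.policy before launching the run configuration; an empty result means none of these four conditions was found.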
Version 1.2 last modified by Charles Gay on 16/12/2006 at 01:35